SEC Consult SA-20170407-0 :: Server-Side Request Forgery in MyBB forum

--------------ms020901030400090708080208
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

SEC Consult Vulnerability Lab Security Advisory < 20170407-0 >
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
              title: Server Side Request Forgery (SSRF) Vulnerability
            product: MyBB
 vulnerable version: 1.8.10
      fixed version: 1.8.11
         CVE number: CVE-2017-7566
             impact: Medium
           homepage: https://mybb.com/
              found: 2017-03-03
                 by: Wan Ikram (Office Kuala Lumpur)
                     Fikri Fadzil (Office Kuala Lumpur)
                     Jasveer Singh (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Mo=
scow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Z=
urich

                     https://www.sec-consult.com

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Vendor description:
-------------------
"With everything from forums to threads, posts to private messages, searc=
h to
profiles, and reputation to warnings, MyBB features everything you need t=
o run
an efficient and captivating community. Through plugins and themes, you c=
an
extend MyBBs functionality to build your community exactly as youd like=
 it."

Source: https://mybb.com/


Business recommendation:
------------------------
The patch should be installed immediately if cURL functions are disabled.=


Furthermore, SEC Consult recommends to perform a thorough security review=
 of
this software.


Vulnerability overview/description:
-----------------------------------
1. Server-Side Request Forgery
An attacker is able to initiate socket connections with arbitrary systems=
 using
the internal network interface of the server via the web applications "C=
hange
Avatar" function. This vulnerability can be used to identify internal hos=
ts and
perform internal port scanning.


Proof of concept:
-----------------
1. Server-Side Request Forgery
This vulnerability can be exploited by an attacker with a registered acco=
unt
as low as a normal account. If the server which is hosting the web applic=
ation
disallows cURL functions, the application will use the "fsockopen" functi=
on as an
alternative. Below is the example on how the SSRF issue can be exploited.=


URL     : http://$DOMAIN/usercp.php
METHOD  : POST
PAYLOAD : avatarurl=3Dhttp://$IP:$PORT:80


Vulnerable / tested versions:
-----------------------------
MyBB version 1.8.10 has been tested. This version was the latest version
at the time the security vulnerability was discovered.


Vendor contact timeline:
------------------------
2017-03-09: Contacting vendor through the "Private Inquiries" forum at
            https://community.mybb.com/forum-135.html
2017-03-09: Advisory sent through the "Private Inquiries". Vendor has
            confirmed the issues. No specific date on the fix was given
2017-03-17: Vendor confirmed the vulnerability; working on the fix
2017-03-31: Requesting a status update.
2017-04-04: Patch released by the vendor.
2017-04-07: Public release of advisory.


Solution:
---------
Upgrade to MyBB 1.8.11

For further information see:
https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/=



Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. I=
t
ensures the continued knowledge gain of SEC Consult in the field of netwo=
rk
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evalu=
ation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and v=
alid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consu=
lt?
Contact our local offices https://www.sec-consult.com/en/About/Contact.ht=
m
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Fikri Fadzil / @2017


--------------ms020901030400090708080208
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
CxgwggSvMIIDl6ADAgECAhEA4CPLFRKDU4mtYW56VGdrITANBgkqhkiG9w0BAQsFADBvMQsw
CQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4
dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTE0MTIyMjAwMDAwMFoXDTIwMDUzMDEwNDgzOFowgZsxCzAJBgNVBAYTAkdCMRswGQYD
VQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNP
TU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhDT01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVu
dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAImxDdp6UxlOcFIdvFamBia3uEngludRq/HwWhNJFaO0jBtgvHpRQqd5jKQi3xdh
TpHVdiMKFNNKAn+2HQmAbqUEPdm6uxb+oYepLkNSQxZ8rzJQyKZPWukI2M+TJZx7iOgwZOak
+FaA/SokFDMXmaxE5WmLo0YGS8Iz1OlAnwawsayTQLm1CJM6nCpToxDbPSBhPFUDjtlOdiUC
ISn6o3xxdk/u4V+B6ftUgNvDezVSt4TeIj0sMC0xf1m9UjewM2ktQ+v61qXxl3dnUYzZ7ifr
vKUHOHaMpKk4/9+M9QOsSb7K93OZOg8yq5yVOhM9DkY6V3RhUL7GQD/L5OKfoiECAwEAAaOC
ARcwggETMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8DveAky1QaMB0GA1UdDgQWBBSSYWuC
4aKgqk/sZ/HCo/e0gADB7DAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAd
BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVybmFs
Q0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVz
ZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQELBQADggEBABsqbqxVwTqriMXY7c1V86prYSvACRAj
mQ/FZmpvsfW0tXdeDwJhAN99Bf4Ss6SAgAD8+x1banICCkG8BbrBWNUmwurVTYT7/oKYz1gb
4yJjnFL4uwU2q31Ypd6rO2Pl2tVz7+zg+3vio//wQiOcyraNTT7kSxgDsqgt1Ni7QkuQaYUQ
26Y3NOh74AEQpZzKOsefT4g0bopl0BqKu6ncyso20fT8wmQpNa/WsadxEdIDQ7GPPprsnjJT
9HaSyoY0B7ksyuYcStiZDcGG4pCS+1pCaiMhEOllx/XVu37qjIUgAmLq0ToHLFnFmTPyOInl
tukWeh95FPZKEBom+nyK+5swggZhMIIFSaADAgECAhAriv4GJbNgG4KONRhUqx20MA0GCSqG
SIb3DQEBCwUAMIGbMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy
MRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UE
AxM4Q09NT0RPIFNIQS0yNTYgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1h
aWwgQ0EwHhcNMTcwMzAxMDAwMDAwWhcNMjAwMjI5MjM1OTU5WjCCAVcxCzAJBgNVBAYTAkFU
MQ0wCwYDVQQREwQyNzAwMRowGAYDVQQIExFOaWVkZXJvZXN0ZXJyZWljaDEVMBMGA1UEBxMM
V3IuIE5ldXN0YWR0MRkwFwYDVQQJExBLb21hcmlnYXNzZSAxNC8xMS4wLAYDVQQKEyVTRUMg
Q29uc3VsdCBVbnRlcm5laG1lbnNiZXJhdHVuZyBHbWJIMUkwRwYDVQQLE0BJc3N1ZWQgdGhy
b3VnaCBTRUMgQ29uc3VsdCBVbnRlcm5laG1lbnNiZXJhdHVuZyBHbWJIIEUtUEtJIE1hbmFn
MR8wHQYDVQQLExZDb3Jwb3JhdGUgU2VjdXJlIEVtYWlsMSYwJAYDVQQDEx1TRUMgQ29uc3Vs
dCBWdWxuZXJhYmlsaXR5IExhYjEnMCUGCSqGSIb3DQEJARYYcmVzZWFyY2hAc2VjLWNvbnN1
bHQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5+LisxDXcLwArMnTESPr
5G/6PY0xWAvPc81sZGgHbf4at31qtZn9eVMGAPx4nJShJVZsB3+0OavWSM1PvcsMgVp8ovIf
gnE05A/LZ4k38pMU+Zl0pcGx5TFQevKmCDwqV9JqLIoleIKHCeQVmZhGC7zccEYvKtvQqWsq
VJDFHPZisoIGl9YS048T8c9al1FQtIx3SDtxZhyigHI1t8kFAHloWGP8KCMIMX6g9FlTIlnQ
YFUAkQ/49KRyUDEHdRZey9hQLuvrgRKWZn1TxeTWW41IZKUQC6Lhb3LgrQzUQoR7dbdASh+3
sqiw1642dkyxChRoOptpoC1Wo5HLTELzYQIDAQABo4IB4DCCAdwwHwYDVR0jBBgwFoAUkmFr
guGioKpP7GfxwqP3tIAAwewwHQYDVR0OBBYEFBEBR5dneBkup36i0hf8pUVsEpMlMA4GA1Ud
DwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcD
AjBGBgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEDBTArMCkGCCsGAQUFBwIBFh1odHRwczovL3Nl
Y3VyZS5jb21vZG8ubmV0L0NQUzBdBgNVHR8EVjBUMFKgUKBOhkxodHRwOi8vY3JsLmNvbW9k
b2NhLmNvbS9DT01PRE9TSEEyNTZDbGllbnRBdXRoZW50aWNhdGlvbmFuZFNlY3VyZUVtYWls
Q0EuY3JsMIGQBggrBgEFBQcBAQSBgzCBgDBYBggrBgEFBQcwAoZMaHR0cDovL2NydC5jb21v
ZG9jYS5jb20vQ09NT0RPU0hBMjU2Q2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFp
bENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCMGA1UdEQQc
MBqBGHJlc2VhcmNoQHNlYy1jb25zdWx0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAQ9HL1/pw
/3RSCgHwSKfAejchG11KoLrm+7xdqBC1nVgJaQeX8smjraljd1PAL4KthtNP0Tr+DNr4d4hQ
WwHz/LnB0iap44v8LTaHTDUbWYD5NsOg8sD1JMQI8Jt6vC7Im+9O/rHxmvhL18hWoK4aIK/k
QG7eOfO5UmurKh7StuhE3t4KKEQnSTUCy+kNe8ut4KZdRs+o+mpSH09ecLo99Qs/FuaZMTgh
hZWkcSC1YT1jQDIF3lRDk+/+HbQ0h34tgPi/wJlI/7moci7B2AzYWFeHWcrGnuE6kZkRWtQV
F/u1NODSMp1DU3EzHLueYNufSYLWHh+yyzNnaoP5u7oLeDGCBEEwggQ9AgEBMIGwMIGbMQsw
CQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxm
b3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDFBMD8GA1UEAxM4Q09NT0RPIFNIQS0y
NTYgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0ECECuK/gYls2Ab
go41GFSrHbQwDQYJYIZIAWUDBAIBBQCgggJhMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEw
HAYJKoZIhvcNAQkFMQ8XDTE3MDQwNzA5MzQwOVowLwYJKoZIhvcNAQkEMSIEIDmbX+mbwoiU
BIwhkZZZTt7b6rH8FPEjf84G76I23XN/MGwGCSqGSIb3DQEJDzFfMF0wCwYJYIZIAWUDBAEq
MAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwIC
AUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwgcEGCSsGAQQBgjcQBDGBszCBsDCBmzELMAkG
A1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9y
ZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2
IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAriv4GJbNgG4KO
NRhUqx20MIHDBgsqhkiG9w0BCRACCzGBs6CBsDCBmzELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RP
IENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNh
dGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhAriv4GJbNgG4KONRhUqx20MA0GCSqGSIb3DQEB
AQUABIIBAGnkku25oKxYEoZ9uWTqY1lHjElfPc/MAO0dvs2IlnJEcfDdls9yNRJD3R8t7MmU
Jck3UeR9akkYbEJfLa1vIY1VGyIPKeeirW8zuNBCvvNhNqZj2dv7Ye5JQp6nY6mubAsEr4Eb
wOqLVj0cz5W897XQGvIbO2vy4V0+r6q3KC2fkz2G9lyTdTPbxWZZ9p/m8/Vby/CPvboizzzj
Uks7fyAoD1CahKVpoKSBH50ig6LjikR1OXbtsQNWm3OdMiKv9SrAbvU3KWxvjtj99ZJux47d
4ZHJ7L0oMt4F7/A7a4IbjokhQ24NuthxVL12e1M354Is4QAkkLiuifWVk1qDnPQAAAAAAAA=
--------------ms020901030400090708080208--